Incident Response, TDR, Vulnerability Management

Ground system for weather satellites contains thousands of ‘high-risk’ bugs

The U.S. Department of Commerce Office of Inspector General (OIG) is urging the National Oceanic and Atmospheric Administration (NOAA) to quickly patch several high-risk vulnerabilities in the Joint Polar Satellite System (JPSS) ground system.

The JPSS ground system is used to collect data from numerous polar-orbiting weather satellites, and to distribute the information to global users, according to a memo from Allen Crawley, assistant inspector general for systems acquisition and IT security, to Kathryn Sullivan, under secretary of commerce for oceans and atmosphere and NOAA administrator.

In a recent audit, the OIG identified 23,868 high-risk vulnerability instances in the JPSS ground system for the second quarter of the fiscal year (FY) 2014, which is up from 14,486 high-risk vulnerabilities identified in the first quarter of FY 2012.

“If exploited, these [high-risk] vulnerabilities may make it possible for attackers to significantly disrupt the JPSS mission of providing critical data used in weather forecasting and climate monitoring,” Crawley wrote in the memo. 

Most issues will be addressed in another two years in the next version of the system, Crawley wrote, but many of the identified high-risk vulnerabilities can be fixed now by making only minor tweaks to the current system, including to the more than 9,100 instances of software versions either being out-of-date or lacking security patches, software being insecurely configured, and users having unnecessary software or operating system privileges. 

Additionally, adjustments can be made to the more than 3,600 instances of password and auditing settings that are incorrectly configured, according to JPSS policy, as well as to unnecessary software applications that need eliminating and the three bugs identified during penetration tests in 2012.

The findings are telling that NOAA is not keeping up with its required remediation of flaws, which is within 30 days upon identification of high-risk vulnerabilities and quarterly for moderate to lower risk bugs, the memo indicates.

The problem is compounded because the vulnerabilities within the JPSS software have been known publicly for years and, furthermore, tools are available on the internet that can be used to exploit many of the bugs, Crawley wrote. 

“In response to our draft memorandum, NOAA concurred with our recommendations,” Crawley wrote. “NOAA indicated that it had already implemented [a] recommendation [to use system update processes for quickly applying critical patches], explaining that it remediated the Heartbleed vulnerability during the third quarter of FY 2014.”

Crawley and Sullivan did not respond to requests for comment.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.